2FA can't get setup with MS Authenticator App
Very recently (past few days), we had a user suddenly sending 10,000+ (spam) emails from his O365 email account.
I checked yesterday and his account was being logged into recently from multiple countries.
To make matters worse, this user is one of the VPs of the company.
I wasn't able to contact him right away, so I initially put in a transport/mailflow rule to block all emails being sent to addresses outside the company. This morning we connected with him. We changed his O365 password, kicked off any currently logged-in O365 connections for the user, turned on MFA for his account and disabled the mailflow rule preventing emailing to external email addresses.
This is where things go south. We bring up Outlook on his laptop in his office. Office/Outlook then prompted with the expected prompts to choose which type of 2FA we wanted to use. (The VP does not want to have to type in a several-digit code each time, so we went with MS Authenticator versus Google Authenticator.) We go through the process of installing the MS app on the guy's phone (Google Pixel phone). That installs fine and we scan the QR code and it created an account on his phone under his O365 name and I'm thinking we're good to go, as we have been in the past.
My desktop guy then runs into issues getting the VP going. I come over and see that, each time you try to load up Outlook on the VP's tablet, it prompts again that our org requires more info and goes through the 2FA setup screens again. Since we already have the MS Authenticator app on the guy's phone and the O365 user account already set up in it from the previous times through the setup screens earlier today, I click next through those steps until the end.
I now see the little spinning icon signifying it's completing the 2FA activation just keeps spinning and spinning, until eventually it gives a timeout error. I checked and the connection to the internet was good, and other apps were running without issue. I thought, well, since it wasn't actually 'me' that installed and set up the MS Authenticator app on the VP's phone, I removed the account that was set up earlier on it and recreated it from scratch, following the Office prompts and scanning the QR code again to create the account under MS Authenticator again. Once again it times out on the MS side when trying to finish the process.
At this point the VP has been unable to get into his email and needed to be around & bugged by IT for a good chunk of today to get his thumbprint to unlock etc. his phone... I opted to go with the other option for now to have it send a text msg with a code to his phone instead. This worked right away and he was then able to get into his email etc. I exited out of Outlook and then tried logging into it again and was surprised he didn't get another code text, and it instead let me right in to email again on his laptop. I'm guessing because he already did authenticate once via texted code, so there must be some other MS Office services etc. still running and now the login was already authenticated.
I've googled a bit this afternoon looking to see what the bottleneck may be and how to resolve it, but so far I've not had luck. I've personally done this same 2FA setup using MS Authenticator with another employee a few months ago. That time all went smoothly and as expected. Now trying to do the same with a VP user, of course there is an odd hiccup (grrr). Both the current VP user and the previous successfully set up user are in the same office building and under the same tenant and same domain.
I'll keep googling, but thought I'd also ask the community for thoughts.
Thank you and sorry for the length of this post!
Your user account may be blocked from using Azure Multi-Factor Authentication. Check Entra -> Security -> MFA and check if the user is being blocked: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-mfasettings#block-and-unblock-users
This. I had one user get hit with this so far.
I think they moved the MFA security portion of Entra. Entra > Protection > Multifactor Authentication.
Half the Google searches for Azure AD settings instructions are incorrect because of the Entra re-org.
Make sure the VP's cell phone has automatic time enabled from cell towers. I've seen some people turn off the auto time and it will be off by a minute or 2 and cause issues.
Did you try to reinstall the application and then try again? Found this helps when setting up the MS Authenticator. Or at least it worked for me.
Please also check for any suspicious connectors under mail flow in Exchange Admin Center and do check out conditional access policies in the Entra admin portal.